OverTheWire Bandit: Level 20 to Level 21

The Goal

A setuid binary called suconnect connects to a port on localhost. If it receives the correct password for bandit20, it sends back bandit21’s password. The challenge: you need a listener running and ready before suconnect connects to it — both things have to happen at the same time in one terminal.

What I Did

Listed the home directory and ran the binary without arguments:

bandit20@bandit:~$ ./suconnect
Usage: ./suconnect <portnumber>
This program will connect to the given port on localhost using TCP.
If it receives the correct password from the other side, the next password is transmitted back.

Confirmed it was setuid:

bandit20@bandit:~$ ls -l suconnect
-rwsr-x--- 1 bandit21 bandit20 15604 Jun 24 14:59 suconnect

Owned by bandit21 with the setuid bit set — it runs as bandit21, which means it can read /etc/bandit_pass/bandit21.

Setting Up the Listener with Job Control

Started netcat as a listener in the background using &:

nc -l -p 1234 &
[1] 538

This put nc in the background. The [1] is the job number. The terminal returned immediately, ready for the next command.

Ran suconnect also in the background:

./suconnect 1234 &
[2] 548

Brought the nc listener to the foreground so I could type into it:

fg %1
nc -l -p 1234

Typed the bandit20 password:

4pIjcunZ0fK2vmp3IwfG8Vf7VhxD6pOA
Read: 4pIjcunZ0fK2vmp3IwfG8Vf7VhxD6pOA
Password matches, sending next password
bW9kBv5WC3P4yoDyf12LSdGuNz5ka6hY
[2]   Done                       ./suconnect 1234

How Job Control Works

Linux job control lets you manage multiple processes within a single terminal session:

| Command | What it does |
|---|---|
| command & | Starts a command in the background immediately |
| Ctrl+Z | Suspends (pauses) the current foreground process |
| bg | Resumes a suspended process in the background |
| fg | Brings a background or suspended process to the foreground |
| jobs | Lists all background and suspended jobs |
| fg %1 | Brings job number 1 specifically to the foreground |

The flow in this level:

  1. Start nc listener in background with &
  2. Start suconnect in background with &
  3. Bring nc to the foreground with fg %1
  4. Type the password — nc sends it to suconnect
  5. suconnect validates it and sends back the next password
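The same exchange, scripted, as an added example that is not part of the original post: the listener is bound and listening before the client connects, sends the password, and reads the reply. The fake_suconnect function is a hypothetical stand-in for the real binary so the block runs offline, the password values are constructed placeholders, and the failure reply is an assumption.

```python
import socket
import threading

# Constructed placeholder values, not real level passwords.
CURRENT = b"current-level-password"
NEXT = b"next-level-password"


def read_line(sock):
    """Read one newline-terminated line from a connected socket."""
    with sock.makefile("rb") as f:
        return f.readline().strip()


def fake_suconnect(port):
    """Hypothetical stand-in for ./suconnect <port>: connect, read, compare, reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        if read_line(s) == CURRENT:
            s.sendall(NEXT + b"\n")
        else:
            s.sendall(b"FAIL\n")  # assumed reply; the post shows only success


def serve_once(password, client=fake_suconnect):
    """Play the nc -l role: listen, send the password, return the client's reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
        srv.listen(1)                # the port is open before the client starts
        srv.settimeout(5)
        port = srv.getsockname()[1]
        worker = threading.Thread(target=client, args=(port,))
        worker.start()               # same ordering as starting nc first
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            conn.sendall(password + b"\n")
            reply = read_line(conn)
        worker.join()
        return reply.decode()


if __name__ == "__main__":
    print(serve_once(CURRENT))   # matching password: next password comes back
    print(serve_once(b"wrong"))  # mismatch: the stand-in refuses
```
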

Alternative Methods

Piping the password directly into nc:

echo "4pIjcunZ0fK2vmp3IwfG8Vf7VhxD6pOA" | nc -l -p 1234 &
./suconnect 1234

echo writes the password to nc's standard input before anything has connected, so when suconnect connects, nc automatically sends the password without needing interactive input.

Using tmux:

tmux

Split the terminal into two panes with Ctrl+B then %. Run the listener in one pane and suconnect in the other. No job control needed — each pane is an independent shell.

Using screen:

screen

Create two windows with Ctrl+A then c. Switch between them with Ctrl+A then n. Same idea as tmux, but with an older interface.

What I Learned

Job control is essential for running multiple things in one terminal. The & operator is the most commonly used — it lets you start a background process and immediately get your prompt back.

fg %n specifies which job to bring forward. Without the number, fg brings the most recent job to the foreground. With %1 you control exactly which one.

Netcat in listener mode waits for a connection. nc -l -p PORT sits waiting until something connects. Once a connection arrives and the session ends, it exits. Use -k to keep listening for multiple connections.

tmux and screen solve the same problem differently. Job control uses one shell and switches between processes. tmux and screen give you genuinely separate shells running simultaneously — more flexible, especially over SSH where you might lose connection and want sessions to survive.

Commands Used

| Command | What it did |
|---|---|
| nc -l -p 1234 & | Started netcat listener on port 1234 in background |
| ./suconnect 1234 & | Started suconnect in background |
| fg %1 | Brought nc to foreground to type the password |
| jobs | Checked what was running in background |

This post is licensed under CC BY 4.0 by the author.